14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf

General

Target

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Size

4.4MB
MD5

15ae1218c1c773497a6a5e6db8d11922
SHA1

8596dbd6e5e7dfdfbacd04051d192dd597d72b67
SHA256

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf
SHA512

57c417052ace7f7e1b4c60da0549e733e6e1bcc35c3c952a0595501248ef25a801e71148d55334aeb38c57a9ecb851476f7c34fab86ee00d319e95ac79f4c45b
SSDEEP

49152:yb9BphIVBmo8cBBThHHCrmYVzZLbdIo0MaN5EyKktGH5R7of01N:ipCmo/CrmyVYEqGZR7n

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

548 powershell.exe

pid	process
548	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1468	wmic.exe
Token: SeSecurityPrivilege	1468	wmic.exe
Token: SeTakeOwnershipPrivilege	1468	wmic.exe
Token: SeLoadDriverPrivilege	1468	wmic.exe
Token: SeSystemProfilePrivilege	1468	wmic.exe
Token: SeSystemtimePrivilege	1468	wmic.exe
Token: SeProfSingleProcessPrivilege	1468	wmic.exe
Token: SeIncBasePriorityPrivilege	1468	wmic.exe
Token: SeCreatePagefilePrivilege	1468	wmic.exe
Token: SeBackupPrivilege	1468	wmic.exe
Token: SeRestorePrivilege	1468	wmic.exe
Token: SeShutdownPrivilege	1468	wmic.exe
Token: SeDebugPrivilege	1468	wmic.exe
Token: SeSystemEnvironmentPrivilege	1468	wmic.exe
Token: SeRemoteShutdownPrivilege	1468	wmic.exe
Token: SeUndockPrivilege	1468	wmic.exe
Token: SeManageVolumePrivilege	1468	wmic.exe
Token: 33	1468	wmic.exe
Token: 34	1468	wmic.exe
Token: 35	1468	wmic.exe
Token: SeIncreaseQuotaPrivilege	1468	wmic.exe
Token: SeSecurityPrivilege	1468	wmic.exe
Token: SeTakeOwnershipPrivilege	1468	wmic.exe
Token: SeLoadDriverPrivilege	1468	wmic.exe
Token: SeSystemProfilePrivilege	1468	wmic.exe
Token: SeSystemtimePrivilege	1468	wmic.exe
Token: SeProfSingleProcessPrivilege	1468	wmic.exe
Token: SeIncBasePriorityPrivilege	1468	wmic.exe
Token: SeCreatePagefilePrivilege	1468	wmic.exe
Token: SeBackupPrivilege	1468	wmic.exe
Token: SeRestorePrivilege	1468	wmic.exe
Token: SeShutdownPrivilege	1468	wmic.exe
Token: SeDebugPrivilege	1468	wmic.exe
Token: SeSystemEnvironmentPrivilege	1468	wmic.exe
Token: SeRemoteShutdownPrivilege	1468	wmic.exe
Token: SeUndockPrivilege	1468	wmic.exe
Token: SeManageVolumePrivilege	1468	wmic.exe
Token: 33	1468	wmic.exe
Token: 34	1468	wmic.exe
Token: 35	1468	wmic.exe
Token: SeIncreaseQuotaPrivilege	984	WMIC.exe
Token: SeSecurityPrivilege	984	WMIC.exe
Token: SeTakeOwnershipPrivilege	984	WMIC.exe
Token: SeLoadDriverPrivilege	984	WMIC.exe
Token: SeSystemProfilePrivilege	984	WMIC.exe
Token: SeSystemtimePrivilege	984	WMIC.exe
Token: SeProfSingleProcessPrivilege	984	WMIC.exe
Token: SeIncBasePriorityPrivilege	984	WMIC.exe
Token: SeCreatePagefilePrivilege	984	WMIC.exe
Token: SeBackupPrivilege	984	WMIC.exe
Token: SeRestorePrivilege	984	WMIC.exe
Token: SeShutdownPrivilege	984	WMIC.exe
Token: SeDebugPrivilege	984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	984	WMIC.exe
Token: SeRemoteShutdownPrivilege	984	WMIC.exe
Token: SeUndockPrivilege	984	WMIC.exe
Token: SeManageVolumePrivilege	984	WMIC.exe
Token: 33	984	WMIC.exe
Token: 34	984	WMIC.exe
Token: 35	984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	984	WMIC.exe
Token: SeSecurityPrivilege	984	WMIC.exe
Token: SeTakeOwnershipPrivilege	984	WMIC.exe
Token: SeLoadDriverPrivilege	984	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.execmd.execmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 1468	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 1348 wrote to memory of 1468	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 1348 wrote to memory of 1468	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 1348 wrote to memory of 588	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1348 wrote to memory of 588	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1348 wrote to memory of 588	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 588 wrote to memory of 984	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 984	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 984	588	cmd.exe	WMIC.exe
PID 1348 wrote to memory of 1848	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1348 wrote to memory of 1848	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1348 wrote to memory of 1848	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1848 wrote to memory of 936	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 936	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 936	1848	cmd.exe	WMIC.exe
PID 1348 wrote to memory of 548	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	powershell.exe
PID 1348 wrote to memory of 548	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	powershell.exe
PID 1348 wrote to memory of 548	1348	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
"C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\X1Yx9AZsXN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3384eba73041deabe08d3f8f6651b96e

SHA1
7426320b0a14562a6eb4eeb506fb894cde103b1d

SHA256
64e6c826da1bdef95c3165b8d27c2b0240ac18811b809f0347c10fcbec39d91a

SHA512
4c3a09089b2483420781d0cc6c36c868f211294d1f26fcea86d568c2d5c77f5d01d7288da3ae18aeaee1108365753d8b431370f3eb45034dbdf789c5f108ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1CF6.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D85.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit
C:\Users\Admin\AppData\Local\Temp\X1Yx9AZsXN.exe
Filesize
11KB

MD5
62b550b5126aef702365dc3fb55f43d1

SHA1
4b67bc871ed9f2c77cd244e3b4d3b2f3f0f9d8d1

SHA256
3a987bfb28c841f88432d10dc4f89495121af54c9c36dc4b43c89420ba2a857b

SHA512
a8db01a9610abb1e35c24717d245231d6d122848004c2041a61f0e090d11f5d6918aa7882a20d950802a858b08e6004f012c5a813ebe800ff7618e7591676565

Download Submit
memory/548-151-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/548-152-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/548-154-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/548-155-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/548-156-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads